A cat-and-mouse game has begun between Apple and Chinese tech companies, as the iPhone maker tries to enforce its new privacy policies in China.
Apple is expected to roll out changes to iPhones in the spring that will give users more privacy from mobile advertising, a market that hit $240bn last year, according to App Annie.
The changes will force apps to ask for permission before collecting tracking data on users, a move that has been bitterly fought by Facebook, since most users are expected to say no.
But even before introducing the changes, Apple is facing problems in China, where tech companies are testing ways to beat the system and continue tracking users without prompting for their consent. Apple previously said it would reject from its App Store any apps that “are found to disregard the user’s choice”.
On Thursday, Apple fired pre-emptive warnings to at least two Chinese apps, telling them to cease and desist after naming a dozen parameters such as “setDeviceName” that could be used “to create a unique identifier for the user’s device”.
“We found that your app collects user and device information to create a unique identifier for the user’s device,” reads a screenshot of a warning to one developer who was using a new way of identifying users called CAID, which was developed by the state-backed China Advertising Association.
Its guidelines suggest an update must be “compliant with the App Store Review Guidelines within 14 days” or “your app will be removed from sale”.
Jackie Singh, former senior cyber security staffer to the Biden Campaign, said the warnings demonstrated Apple’s sophisticated ability to use automated tools to detect violations of its privacy guidelines.
“Apple clearly has the technical capability to deny the existence of apps in their ecosystem which perform activities intended to uniquely identify people and track their behaviour outside of Apple’s walled garden,” she said.
“The real question is whether they will choose to broadly or narrowly enforce these policies within the context of a foreign government’s whims and desires — and how Apple will choose to respond to such challenges from other nations moving forward.”
Apple’s move is an attempt to nip in the bud any resistance to its new policy, which has been deeply unpopular with developers worldwide, many of whom offer free apps that make money from ads.
A marketing industry veteran who wished to remain anonymous added: “Apple’s new policy will hurt the advertising industry’s ability to verify their traffic. In China, big and small firms were all testing out the CAID, but Apple’s recent actions will put a stop to these tests.”
The Financial Times has obtained information about the software development kits from five of China’s biggest tech companies, including Baidu, ByteDance, and Tencent, that show they are testing or implementing CAID as a way of identifying users in the future.
ByteDance’s guide recommends developers use its SDK, “Ocean Engine,” to “issue” two new identifiers, CAID1 and CAID2, one based on a user’s IP address and the type of browser and phone; another on a phone’s IMEI — a unique number that identifies a device on a mobile network.
Both new IDs violate Apple’s rules, which state that developers must obtain permission to use “other IDs with a third-party advertising network”.
As a “fallback,” ByteDance also recommends developers use “fingerprinting and probabilistic matching” methods to identify users — another violation.
Tech experts say the fact that Chinese tech companies are creating multiple identification systems suggests that Chinese apps will tweak their submissions in numerous ways to get past Apple’s enforcement.
“The SDKs suggest that [Chinese app developers] are prepared to play that cat-and-mouse game,” said one Western coding expert who asked not to be named.
Singh noted that CAA’s privacy terms, which are publicly available, suggest that a CAID can initially be created on servers hosted by app developers rather than on the device itself. She said this could indicate that developers may try to get their apps approved by Apple by making changes at the server level that are harder to detect.
“If the app is written in such a way that the actual CAID code exists remotely and the parameters are sent off to a server, this could make detection more difficult,” she added.
The efforts to undermine Apple’s new privacy push will put the $2tn tech giant in a bind.
“Either [Apple] upsets Chinese companies — in some cases government owned or backed — potentially arresting its meteoric growth in China over the past decade and disrupting a core part of its supply chain, or it gives Chinese developers special privilege and opens up that can of worms,” said Alasdair Pressney, director of product strategy at AdColony, a mobile in-app ad network and marketplace.
Apple declined to comment.
How does CAID work?
The state-backed China Advertising Association, which led the development of CAID and earns revenues from its use, said it plans to provide “more personalised services” to consumers by collecting and storing personal information including “device start-up time, country, language, device name, system version, physical memory, hard disk, time of last system update, device model, timezone.”
These seemingly trivial data points can, when put together, create a near-unique “fingerprint” of a device.
When an iPhone user installs an app that uses the system, it will collect this data and send it to a central server to create a CAID to identify the user.
If the user then clicks on an ad for another app, and downloads it, that app will also generate a CAID in the same way.
If the two CAIDs match, then the first app can prove to the second that its ad worked, proving that the money spent on advertising was worthwhile.
The CAA says users will be able to opt out of CAID to avoid being tracked, but Apple’s new rules do not allow exceptions to App Tracking Transparency, its framework for any developer that wants to collect data on users.
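An added illustration, not from the article or the CAA, of how seemingly trivial data points combine into a near-unique fingerprint: it measures anonymity-set size, unique share and entropy for every attribute combination over a constructed 60-device population. Attribute names follow the CAA list quoted above; the values, function names and population are assumptions.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample population (not real data): 60 devices whose attributes
# cycle through a few common values each. Attribute names follow the CAA list
# in the article; the values are chosen for illustration only.
MODELS = ["iPhone11,2", "iPhone12,1", "iPhone13,2"]
VERSIONS = ["14.2", "14.3", "14.4", "14.4.1"]
TIMEZONES = ["Asia/Shanghai", "Asia/Urumqi", "Asia/Hong_Kong",
             "Asia/Taipei", "Asia/Macau"]
ATTRS = ["device_model", "system_version", "timezone", "language"]
DEVICES = [
    {"device_model": MODELS[i % 3],
     "system_version": VERSIONS[i % 4],
     "timezone": TIMEZONES[i % 5],
     "language": "zh-Hans" if i % 2 == 0 else "en"}
    for i in range(60)
]

def anonymity_sets(devices, attrs):
    """Count how many devices share each combination of the given attributes."""
    return Counter(tuple(d[a] for a in attrs) for d in devices)

def unique_fraction(devices, attrs):
    """Share of devices that are alone in their anonymity set."""
    sets = anonymity_sets(devices, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(devices)

def entropy_bits(devices, attrs):
    """Shannon entropy of the attribute combination, in bits."""
    total = len(devices)
    return -sum(n / total * math.log2(n / total)
                for n in anonymity_sets(devices, attrs).values())

def audit(devices, attrs=ATTRS):
    """Per attribute subset: (subset, smallest set size k, unique share, bits)."""
    rows = []
    for r in range(1, len(attrs) + 1):
        for subset in combinations(attrs, r):
            sets = anonymity_sets(devices, subset)
            rows.append((subset, min(sets.values()),
                         unique_fraction(devices, subset),
                         round(entropy_bits(devices, subset), 2)))
    return rows

if __name__ == "__main__":
    for subset, k, uniq, bits in audit(DEVICES):
        print(f"{'+'.join(subset):50s} k={k:2d} unique={uniq:.0%} bits={bits}")
```

Three coarse attributes with at most five values each already isolate every device in this sample, which is why a review of what an SDK collects has to weigh combinations of fields rather than each field on its own.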